In this short talk at the FAIR Institute Breakfast during the 2020 RSA Conference, Ascena Retail CISO Mark Tomallo transferred a lot of knowledge about starting and winning with a FAIR™ program – including a showpiece victory of assessing hundreds of third-party vendors resulting in transferring $2 million to $40 million in liability per vendor.
Hear the details on that, and how Ascena instituted a FAIR-based system of risk acceptance for reviewing and prioritizing projects. “I’ve never seen risk laid out this way,” one executive reacted to one project analysis. “No way I’m signing off on that!”
Mark describes his methodical plan to engage stakeholders with FAIR: insisting on FAIR terminology in all risk conversations, involving business owners and SMEs in creating loss tables, and running FAIR analyses in stealth mode, showing results to stakeholders only when it serves their interests.
Mark said he knew he was succeeding when he turned back a finding from Audit on a “significant weakness” over default password usage that, under FAIR analysis, turned out to be a negligible risk. His team ran 50,000 simulations to conclusively show that, at the maximum, Ascena faced a $12,000 loss (many organizations find that running this sort of FAIR™-based, enterprise-speed decision support requires a platform like the one offered by the Institute’s technical partner, RiskLens).
“Nothing has changed the perception of security the way that FAIR has allowed us,” Mark says.